feat(query): Add Public Resource

GeekMasher · GeekMasher · commit 67e4b704c91f · 2025-06-11T10:46:01.000+01:00
diff --git a/ql/src/security/CWE-200/PublicResource.md b/ql/src/security/CWE-200/PublicResource.md
@@ -0,0 +1,27 @@
+# Internal Resource is Public to the Internet
+
+This query detects Azure resources that are inadvertently exposed to the public internet. Publicly accessible resources can be targeted by attackers, leading to data breaches, service disruption, or unauthorized access. It is a security best practice to restrict access to internal resources by using private endpoints, network security groups, or firewalls to limit exposure.
+
+## Bad Example: Publicly Accessible Resource
+
+```bicep
+resource storage 'Microsoft.Storage/storageAccounts@2021-02-01' = {
+  name: 'publicstorage'
+  location: 'eastus'
+  properties: {
+    allowBlobPublicAccess: true // BAD: Public access is enabled
+  }
+}
+```
+
+## Good Example: Internal-Only Resource
+
+```bicep
+resource storage 'Microsoft.Storage/storageAccounts@2021-02-01' = {
+  name: 'privatestorage'
+  location: 'eastus'
+  properties: {
+    allowBlobPublicAccess: false // GOOD: Public access is disabled
+  }
+}
+```
diff --git a/ql/src/security/CWE-200/PublicResource.ql b/ql/src/security/CWE-200/PublicResource.ql
@@ -0,0 +1,18 @@
+/**
+ * @name Internal Resource Public to the Internet
+ * @description Internal resources should not be publicly accessible to the Internet.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 8.0
+ * @precision high
+ * @id bicep/public-resource
+ * @tags security
+ *       bicep
+ *       azure
+ */
+
+import bicep
+
+from PublicResource resource
+select resource.getPublicAccessProperty(),
+  "Resource '" + resource.getName() + "' is publicly accessible to the Internet."
diff --git a/ql/test/queries-tests/security/CWE-200/PublicResource/PublicBucket.expected b/ql/test/queries-tests/security/CWE-200/PublicResource/PublicBucket.expected
@@ -0,0 +1,3 @@
+| app.bicep:6:26:6:34 | String | Resource 'publicdbserver' is publicly accessible to the Internet. |
+| app.bicep:6:26:6:34 | String | Resource 'publicdbserver' is publicly accessible to the Internet. |
+| app.bicep:6:26:6:34 | String | Resource 'publicdbserver' is publicly accessible to the Internet. |
diff --git a/ql/test/queries-tests/security/CWE-200/PublicResource/PublicBucket.qlref b/ql/test/queries-tests/security/CWE-200/PublicResource/PublicBucket.qlref
@@ -0,0 +1 @@
+security/CWE-200/PublicResource.ql
diff --git a/ql/test/queries-tests/security/CWE-200/PublicResource/app.bicep b/ql/test/queries-tests/security/CWE-200/PublicResource/app.bicep
@@ -0,0 +1,10 @@
+resource db 'Microsoft.Sql/servers@2021-02-01-preview' = {
+  name: 'publicdbserver'
+  location: 'eastus'
+  properties: {
+    version: '12.0'
+    publicNetworkAccess: 'Enabled' // BAD: Database is publicly accessible
+    minimalTlsVersion: '1.0' // BAD: Weak TLS version
+    sslEnforcement: 'Disabled' // BAD: SSL enforcement is disabled
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+\| app.bicep:6:26:6:34 \| String \| Resource 'publicdbserver' is publicly accessible to the Internet. \|`
	`2`	`+\| app.bicep:6:26:6:34 \| String \| Resource 'publicdbserver' is publicly accessible to the Internet. \|`
	`3`	`+\| app.bicep:6:26:6:34 \| String \| Resource 'publicdbserver' is publicly accessible to the Internet. \|`